AGENCY:

Federal Communications Commission.

ACTION:

Proposed action.

SUMMARY:

In this document, the Wireline Competition Bureau (the Bureau) seeks comment on petitions seeking permission to use E-Rate program funds to support advanced or next-generation firewalls and services, as well as the related funding year 2023 ESL proceeding filings. In so doing, the Bureau highlights four filings that together cover the requests and issues raised by the filers listed in this document.

DATES:

Comments are due February 13, 2023 and reply comments are due March 30, 2023.

ADDRESSES:

Pursuant to §§ 1.415 and 1.419 of the Federal Communications Commission's (Commission's) rules, 47 CFR 1.415, 1.419, interested parties may file comments on or before February 13, 2023, and reply comments on or before March 30, 2023. All filings should refer to WC Docket No. 13-184. Comments may be filed by paper or by using the Commission's Electronic Comment Filing System (ECFS). See Electronic Filing of Documents in Rulemaking Proceedings,63 FR 24121 (1998).

Electronic Filers: Comments and replies may be filed electronically using the internet by accessing ECFS: http://www.fcc.gov/​ecfs.

Paper Filers: Parties who choose to file by paper must file an original and one copy of each filing. If more than one docket or rulemaking number appears in the caption of this proceeding, filers must submit two additional copies for each additional docket or rulemaking number.

Filings can be sent by commercial overnight courier or by first-class or overnight U.S. Postal Service mail. Filings must be addressed to the Commission's Secretary, Office of the Secretary, Federal Communications Commission.

Commercial overnight mail (other than U.S. Postal Service Express Mail and Priority Mail) must be sent to 9050 Junction Drive, Annapolis Junction, MD 20701.

U.S. Postal Service first-class, Express, and Priority mail must be addressed to 45 L St. NE, Washington, DC 20554.

Effective March 19, 2020, and until further notice, the Commission no longer accepts any hand or messenger delivered filings. This is a temporary measure taken to help protect the health and safety of individuals, and to mitigate the transmission of COVID-19 ( see FCC Announces Closure of FCC Headquarters Open Window and Change in Hand-Delivery Policy, Public Notice, DA 20-304 (March 19, 2020)) https://www.fcc.gov/​document/​fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy.

FOR FURTHER INFORMATION CONTACT:

Joseph Schlingbaum, Wireline Competition Bureau, (202) 418-7400 or by email at Joseph.Schlingbaum@fcc.gov. The Commission asks that requests for accommodations be made as soon as possible in order to allow the agency to satisfy such requests whenever possible. Send an email to fcc504@fcc.gov or call the Consumer and Governmental Affairs Bureau at (202) 418-0530.

SUPPLEMENTARY INFORMATION:

This is a summary of the Bureau's Public Notice (Notice) in WC Docket No. 13-184; DA 22-1315, released on December 14, 2022. Due to the COVID-19 pandemic, the Commission's headquarters will be closed to the general public until further notice. The full text of this document is available at the following internet address: https://www.fcc.gov/​document/​fcc-seeks-comment-using-e-rate-funding-support-remote-learning.

Proceedings in this Notice shall be treated as a “permit-but-disclose” proceeding in accordance with the Commission's ex parte rules. Persons making ex parte presentations must file a copy of any written presentation or a memorandum summarizing any oral presentation within two business days after the presentation (unless a different deadline applicable to the Sunshine period applies). Persons making oral ex parte presentations are reminded that memoranda summarizing the presentation must list all persons attending or otherwise participating in the meeting at which the ex parte presentation was made, and summarize all data presented and arguments made during the presentation. If the presentation consisted in whole or in part of the presentation of data or arguments already reflected in the presenter's written comments, memoranda or other filings in the proceeding, the presenter may provide citations to such data or arguments in Start Printed Page 1036 his or her prior comments, memoranda, or other filings (specifying the relevant page and/or paragraph numbers where such data or arguments can be found) in lieu of summarizing them in the memorandum. Documents shown or given to Commission staff during ex parte meetings are deemed to be written ex parte presentations and must be filed consistent with rule § 1.1206(b). In proceedings governed by rule § 1.49(f) or for which the Commission has made available a method of electronic filing, written ex parte presentations and memoranda summarizing oral ex parte presentations, and all attachments thereto, must be filed through the electronic comment filing system available for that proceeding, and must be filed in their native format ( e.g.,.doc, .xml, .ppt, searchable .pdf). Participants in these proceedings should familiarize themselves with the Commission's ex parte rules.

1. The Commission has received several petitions and requests from E-Rate stakeholders through the annual E-Rate eligible services list (ESL) proceedings, asking that the Commission permit the use of E-Rate program funds to support advanced or next-generation firewalls and services, as well as other network security services. By this Notice, the Bureau seeks comment on these petitions as well as the related funding year 2023 ESL proceeding filings. In so doing, the Bureau highlights four filings in the following that together cover the requests and issues raised by the filers listed in the following: (1) a petition for waiver filed by Cisco Systems, Inc. (Cisco); (2) a petition for declaratory ruling and petition for rulemaking filed by a coalition led by the Consortium for School Networking (CoSN); (3) a proposed three-year E-Rate cybersecurity pilot program by Funds for Learning (FFL); and (4) a letter from 20 national educational groups led by AASA, The School Superintendents Association (AASA).

2. The Petitions and ESL Filings. During the COVID-19 pandemic, several E-Rate stakeholders submitted petitions asking the Commission to reconsider the eligibility of advanced firewall and network security services given the increased use of schools' broadband networks to provide remote learning to their students. On August 20, 2020, Cisco submitted a Petition for Waiver asking that Commission raise applicants' Category Two budgets by 10% and allow Category Two funding to be used for advanced network security services during the COVID-19 pandemic ( i.e., for funding years 2020 and 2021). On February 8, 2021, the Commission received a petition for declaratory ruling and petition for rulemaking from a group of E-Rate program stakeholders (including CoSN, Alliance for Excellence in Education, State Educational Technology Directors Association (SETDA), Council of the Great City Schools, State E-Rate Coordinators' Alliance (SECA), and Schools, Health & Libraries Broadband (SHLB) Coalition) (collectively, Petitioners) requesting that the definition of “firewall” be modified to include all firewall and related features ( e.g., next generation firewall protection, endpoint protection, and advanced security) and to update the definition of broadband to include cybersecurity. CoSN, along with FFL, provided a study and the costs associated with adding advanced firewall and other network security services to the E-Rate program and estimated that it would cost the program about $2.389 billion annually to fund these advanced network security services for all K-12 schools. The Petitioners also asked the Commission to increase the current Category Two budgets to include additional funding for advanced firewall and other network security services.

3. In October 2021, the President signed the K-12 Cybersecurity Act of 2021, which directed the U.S. Department of Homeland Security to conduct a study of K-12 cybersecurity risks that addresses the specific risks that impact K-12 educations institutions; evaluates cybersecurity challenges K-12 educational institutions face; and identifies cybersecurity challenges related to remote learning. The Bureau declined to expand the eligibility of advanced firewalls and services or add additional network security services for funding year 2022, explaining that “this legislation and forthcoming report will provide invaluable insights into what cybersecurity services will be most impactful for K-12 educational institutions.”

4. As part of the funding year 2023 ESL proceeding, a diverse group of E-Rate stakeholders submitted comments, reply comments, and ex parte submissions requesting that the Commission reconsider its earlier eligibility decisions and clarify that advanced or next-generation firewalls and services are eligible for E-Rate support. As part of this proceeding, AASA, along with 19 other national educational organizations, requested that the Commission take a measured approach in deciding whether to expand the eligibility of advanced firewalls and services, as well as other cybersecurity services. These stakeholders urge the Commission to work collaboratively with other federal agencies to “determine the products and services that are available and effective in responding to and preventing cyberattacks . . . schools should not be driving the response to cyberattacks, nor should E-Rate, the only federal funding stream supporting connectivity in schools, be repurposed/redirected for this important effort.”

5. On October 20, 2022, the U.S. Government Accountability Office (GAO) published a report finding that additional federal coordination is needed to enhance K-12 school cybersecurity. The GAO recommended that the Secretary of Education: (1) establish a collaborative mechanism, such as a government coordinating council, to coordinate cybersecurity efforts between federal agencies and with the K-12 school community; (2) develop metrics for obtaining feedback to measure the effectiveness of the Department of Education's cybersecurity-related products and services for school districts; and (3) coordinate with the Cybersecurity and Infrastructure Security Agency (CISA) to determine how best to help school districts overcome the identified challenges and consider the identified opportunities for addressing cyber threats as appropriate. The GAO further recommended that the Secretary of the Department of Homeland Security should ensure that the Director of CISA develops metrics for measuring the effectiveness of its K-12 cybersecurity-related products and services that are available for school districts and determine the extent that CISA meets the needs of state and local-level school districts to combat cybersecurity threats.

6. Most recently, on November 15, 2022, the Commission received a proposal for a three-year pilot program to fund advanced firewalls and services as a Category Two service. FFL proposes that the Commission establish a three-year pilot program to fund advanced firewalls and services as a Category Two service. FFL also proposes that a funding cap of at least $60 million to $120 million be used as the funding cap for each of the three years. FFL further proposes that in the event demand exceeds available funds, that the pilot funding be prioritized to the applicants with the highest discount rates, and that the Commission deny funding for the remaining applicants with lower discount rates when the capped pilot funds are exhausted.

7. The Bureau seeks comment on these and other issues raised by the referenced petitions and filings. To focus our consideration of these Start Printed Page 1037 requests, the Bureau offers several more specific areas of inquiry in the following.

8. Definition of Advanced or Next-Generation Firewalls and Services. In the E-Rate program, firewall is currently defined as “a hardware and software combination that sits at the boundary between an organization's network and the outside world, and protects the network against unauthorized access or intrusions.” The Bureau seeks comment on this definition and, as discussed in the following, whether any modifications may be appropriate.

9. Eligible Equipment and Services and their Costs. The Bureau further seeks comment on the specific equipment and services that E-Rate should support to fund as advanced or next-generation firewalls and services, as well as the costs associated with funding these services. For example, Fortinet requests E-Rate support for advanced or next-generation firewalls and services that include the following capabilities: intrusion prevention/intrusion detection (IPS/IDS); virtual private networks; distributed denial-of-service (DDoS) protection; and network access control (NAC). FFL suggests advanced firewall features should include “intrusion detection/prevention, malware detection/filtering, application control/visibility, antispam services, URL/DNS filtering, and endpoint-related protections.” What are the advanced or next-generation firewalls and services needed to protect schools' and libraries' broadband networks from cyberattacks? What advanced firewall services should be considered to be eligible “advanced or next-generation services” for E-Rate support? How should funding for these advanced services be prioritized, given that there is not sufficient E-Rate support to fund every advanced or next-generation firewall service? For example, should end-point related protections be excluded from E-Rate eligible “advanced or next-generation firewalls and services? Why or why not? The Bureau also seeks comment on whether firewall as a service (FWaaS) should be eligible for E-Rate support. The Bureau encourages schools, libraries, and other stakeholders that have recent experience with advanced firewall services and the related-costs to provide specific information about the services they are purchasing, the costs they are paying, and what they have done to ensure these services and equipment are sufficient to protect their broadband networks and that the costs are reasonable.

10. Considering the E-Rate program's limited funds and the evolving connectivity needs of schools and libraries, should the Commission expand E-Rate support to fund advanced or next-generation firewalls and services, or continue to fund only basic firewalls and services as is currently allowed in the E-Rate program? Why or why not? Do commenters believe that expanding support to include advanced or next-generation firewalls and services is a prudent use of limited E-Rate funds? Would doing so affect the E-Rate program's longstanding goal of basic connectivity? Instead of expanding the eligibility of firewalls and services at this time, should the Commission continue working with its federal partners, including CISA and the Department of Education to develop a holistic approach to address and prevent cyberattacks against the K-12 schools and libraries? For example, are any non-E-Rate funded services and equipment needed to fully address and prevent these cyberattacks, such as training and implementing a cybersecurity framework and program at each school and library? Will providing funding only for advanced or next-generation firewalls and services be sufficient to protect K-12 schools' and libraries networks from cyberattacks? Is the amount of E-Rate funding allowed under its funding cap sufficient to cover all of the eligible schools' and libraries' connectivity needs, as well as their advanced firewall and other network security services? The Bureau seeks comment on these questions.

11. Categorization of Firewall Services and Components. Currently, pursuant to the Commission's rules, basic firewall service provided as part of the vendor's internet access service is eligible as a Category One service. Separately priced basic firewall services and components are eligible as a Category Two service. The Bureau seeks comment on whether advanced or next-generation firewall services and components should be eligible as a Category One and/or Category Two service. For example, if FWaaS is determined eligible for E-Rate support, should FWaaS be eligible for Category One and/or Category Two support? Should advanced or next-generation firewalls and services only be eligible for Category Two support and subject to the applicant's five-year Category Two budget? Why or why not? If advanced firewall or next generation services should be eligible as both a Category One and Category Two service, how should the Commission delineate these services as a Category One and as a Category Two service? The Bureau seeks comment on these questions.

12. Cost-Effective Purchases. If the Commission makes advanced or next-generation firewall services eligible as only Category Two service, would this be an effective way to ensure applicants are making cost-effective choices when requesting these services and equipment? Are there other measures the Commission could adopt to ensure cost-effective purchases of advanced or next-generation firewalls and services are being made? Should funding be limited to only cloud-based advanced or next-generation firewalls and services to ensure funding is not spent on firewall equipment that will need to be replaced every three to five years? What are other steps the Commission could take to ensure that limited E-Rate funds are cost-effectively used for advanced or next-generation firewalls and services? How can these limited funds be allocated to ensure applicants are making cost-effective purchases? What steps should the Commission take to ensure the constrained E-Rate funds are available for its primary purposes of bringing connectivity to and within the schools and libraries in light of the significant annual costs associated with advanced or next-generation firewalls and services?

13. Legal Issues. Sections 254(c)(1), (c)(3), (h)(1)(B), and (h)(2) of the Communications Act collectively grant the Commission broad and flexible authority to set the list of services that will be supported for eligible schools and libraries, as well as to design the specific mechanisms of support. CoSN and Fortinet agree, and urge the Commission to use its statutory authority to extend E-Rate eligibility to advanced or next-generation firewalls and services. The Bureau invites other stakeholders to comment on the Commission's legal authority to add advanced or next-generation firewalls and services as an eligible service for the E-Rate program. Do other stakeholders agree that the addition of these services is within the scope of the Commission's legal authority? Are there other legal issues or concerns the Commission should consider before extending E-Rate support to advanced or next-generation firewalls and services? Are there statutory limitations that the Commission should consider? What are these limitations? The Bureau seeks comment on these questions.